@@ -33,7 +33,7 @@ PUT /my_index/_bulk?refresh
[source,console]
----
-GET my_index/_eql/search
+GET /my_index/_eql/search
{
"query": """
process where process.name = "regsvr32.exe"
@@ -308,7 +308,7 @@ The following EQL search request searches for events with an `event.category` of
[source,console]
----
-GET my_index/_eql/search
+GET /my_index/_eql/search
{
"query": """
file where (file.name == "cmd.exe" and agent.id != "my_user")
@@ -418,7 +418,7 @@ These events must also share the same `agent.id` value.
[source,console]
----
-GET my_index/_eql/search
+GET /my_index/_eql/search
{
"query": """
sequence by agent.id